Computing Pairings

The pairings above are only useful for cryptography if we have some way of evaluating them efficiently.

The Weil pairing can be considered as a ratio of two instances of the Tate pairing without the requirement for the final exponentiation, thus we continue this section with discussions for evaluating the Tate pairing; the reader may assume that the same methods apply for computing the Weil pairing.

This evaluation requires a function fr,P, for a point P of order r, with a given divisor (f_r,P) = r(P ) − r(O) to be evaluated at a divisor D_Q ∼ (Q) − (O) with support disjoint from that of (fr,P).

The divisor can be easily constructed by taking a random point S 6∈ {P, O} and defining D_Q = (Q + S) − (S), checking that the support is disjoint from sup(f_r,P).

Miller’s algorithm is a polynomial time algorithm for evaluating the Weil [73] and Tate pairings.

3.1.1 Miller’s Algorithm

Instead of first trying to find the function fr,P and then evaluating it at DQ, the ingenious idea behind Miller’s algorithm [72] is to use the linear functions used in the geometric representation of the addition operation to iteratively construct fr,P(D_Q), evaluating at each step. We therefore require that the divisor D_Qsatisfies the slightly stricter condition that it is disjoint from the support of the divisors of all intermediate functions. This idea relies on the important observation [72] that

f_i+j,P = f_i,P · f_j,P ·`_[i]P,[j]P ν_[i+j]P ,

where `_[i]P,[j]P is the line connecting [i]P and [j]P and ν_[i+j]P is the vertical line through [i + j]P (as used for the point addition computation outlined in Chapter 2).

For Miller’s algorithm we first write r in binary form, r =P b_i2ⁱ, bi∈ {0, 1} then we

calculate f₂ⁱ_,P for all bi 6= 0 and use Miller’s observation to put them together to obtain

1: Chose a suitable point S on E

2: Q⁰← Q + S

3: T ← P

4: m ← blog₂(r)c − 1, f ← 1

5: while m ≥ 0 do

6: Calculate l and ν for doubling T

7: T ← 2T

8: f ← f^{2 l(Q}_ν(Q⁰0^)ν(S))l(S) 9: if mth bit if r is 1 then

10: calculate l and ν for addition of T and P

11: T ← T + P

To compute a pairing, the algorithm must evaluate the Miller loop (lines 5 to 15 in Algorithm 1) log(r) times. This is relatively expensive as it requires a lot of extension field arithmetic and r is a large prime (the size of r will be discussed in Section 7).

If there exists a line defined over Fq^k, denoted uO, which passes through O and is not tangent to E such that uO^rf_r,P(O) = 1 then we say that f_r,P is normalised (uO is called a rational uniformiser at O). In this case we can work with Q instead of DQ. This is not restrictive so all further pairings will use f_r,P(Q) instead of f_r,P(D_Q).

In an effort to speed up the computation of the pairing, new pairings have been devel-oped. These pairings have been made more efficient by incorporating observations about the structure of particular types of curves which can lead to shorter Miller loops. The idea of shortening the loop originally came from Duursma and Lee [30] and has been adapted to yield the following pairings:

3.1.2 Eta Pairing

In [8], a generalisation of the work done in [30] resulted in the eta pairing on points of supersingular curves. The eta pairing of points P and Q (Q ∈ hP i, P of order r) is given by

e_T(P, Q) = f_{T ,P}(ψ(Q)),

where T = t − 1 and ψ is a distortion map (as mentioned in §2.3.1).

3.1.3 Ate Pairing

To generalise the Eta pairing to a pairing defined over non-supersingular elliptic curves, the Ate pairingwas developed by Hess, Smart and Vercauteren [46].

All versions of the Ate pairing can be considered as optimised versions of the Tate pairing taking as arguments points from the groups of points formed by the eigenspaces of the Frobenius endomorphism. As explained in §2, all points of order r are defined over F_q^k. If r is a prime divisor of #E(Fq), then there is a group of points of order r defined over Fq. The groups formed by the eigenspaces of the Frobenius endomorphism are: G1 = E[r] ∩ Ker(π_q− [1]) = E(Fq)[r], and G2 = E[r] ∩ Ker(π_q− [q]), the q-eigenspace of the Frobenius endomorphism on E[r].

The Ate pairing is given by:

eT(Q, P ) = fT ,Q(P )^c(qk−1)/N

where T = t − 1 (as for the Eta pairing), N = gcd(T^k− 1, q^k− 1) and c ≡ kq^k−1 mod r.

This gives a non-degenerate, bilinear pairing whenever r - c as it is clear that the Ate pairing evaluates to be a power (by c) of the Tate pairing.

Notice the reversal of parameters (in the Tate pairing the point from G2 is the second argument, in the Ate pairing is is the first). This makes the Miller loop more computation-ally complex as Q is defined over an extension field, but the shortening of the loop means the resulting pairing might be computed faster than the Tate pairing.

3.1.3.1 Twisted Ate pairing

Suppose the elliptic curve E admits a twist of order d, where d | k. From the discussion of [46], there is a unique twist E⁰of E or order d defined over Fq^e (e = k/d) with a group of points of order r. From [46, §IV], there exists a primitive dth root of unity ζ_dsuch that Ker([ζ]π_q^e− 1) is isomorphic to E⁰(Fq^e). We know that E⁰(Fq^e) is stable under πq (as is G2 = E[r] ∩ Ker(πq − [q])) so we may associate G2, a group defined over Fq^k, with E[r] ∩ Ker([ζ]π_q^e− [1]) ∼= E⁰[r] = G⁰2, a group defined over Fq^e.

The (reduced) twisted Ate pairing of P ∈ G1and Q ∈ G⁰2is given by:

e_r(P, Q) = f_T^e_,P(ϕ_d(Q))^(qk−1)/r,

where ϕdis the monomorphism ϕd : E⁰(Fq^e) → E(Fq^k). This shortens the Miller loop when |T^e| < r, resulting in another speedup.

For the supersingular case, taking P, Q ∈ G1 and using the distortion map ψ : G1 → G2recovers the Eta pairing.

The Ate pairing can achieve a Miller loop length as short as log(T ) ∼ log(r^1/φ(k)), a huge improvement over the original Tate pairing. Results of [67] showed that the Ate pairing is always at least twice as fast as the Tate pairing (in the optimal setting).

3.1.3.2 R-ate pairing

Generalising further, the R-ate pairing [61] uses ratios (hence the name) of pairings to achieve shorter Miller loops for even more sets of curves and is currently the most efficient pairing. For D1 and D2 divisors of E, over Fqwith large prime order r, r | #E(Fq) and A, B, a, b ∈ Z with A = aB + b, the R-ate pairing is given as:

R_A,B(D₂, D₁) = f_a,BD2(D₁) · f_b,D2(D₁) · G_aBD2,bD2(D₁),

where GiD,jD is a function with divisor (GiD,jD) = iD + jD − (iD + jD) (for some divisor D).

For the R-ate pairing to be non-degenerate and bilinear, the pair (A, B) must be selected carefully. Let Ti denote qⁱ mod r, the pairs (A, B) which may render the R-ate pairing non-degenerate and bilinear, as given in [61], are:

A = qⁱand B = r,

A = q and B = T1, (where T1< q) A = Ti and B = Tj,

A = r and B = Tj.

3.1.3.3 Optimal Pairings

The Ate and R-ate pairings reduce the length of the Miller loop of the pairing computation, for some families of curves, to log(r^1/φ(k)) from the length log(r) necessary to compute the Tate pairing by computing what is essentially a power of the Tate pairing. In [98], Vercauteren conjectures that log(r^1/φ(k)) is actually a lower bound for the number of Miller operations required to compute a pairing on an elliptic curve with no efficiently computable endomorphisms (apart from the Frobenius endomorphism).

The main idea used by the Ate and R-ate pairings to reduce the length of the Miller loop is to write a multiple of r, c · r, to the base πⁱ_q, where π_qⁱ (i = 0, . . . , k − 1) are the Frobenius endomorphisms. The Ate pairing then computes the cth power of the Tate pairing. Pre-suming that no other efficiently computable endomorphisms exist for a curve, Vercauteren showed that computation of the Miller loop will require at least (1 − ε) log(r^1/φ(k)) itera-tions.

Definition 3.1.1. (Optimal Pairing) A bilinear, non-degenerate pairing over a finite field Fq^k, e : G1×G2→ GT for the groups G1, G2and GT as above, is called an optimal pairing if it can be computed in log(r^1/φ(k)+ ε(k)) basic Miller operations (where ε(k) ≤ log(k)).

In [98], a method for deriving an optimal pairing for most families of elliptic curves is given.